Welcome, reader. This paper is a short attempt at documenting a practical technique
we have been working on. It guides you through the technique that attackers (us) use
to gain access in the process of exploiting a website via File Inclusion (RFI/LFI),
and shows the way to create your own exploit script in Perl.

This paper is divided into 7 sections, but only sections 0x01 to 0x05
contain technical information.

In section 0x01 we talk about the general concept of attacking via File Inclusion.
In section 0x02 we give the details of how to execute arbitrary commands via Local File Inclusion
with each approach. In section 0x03 we present the rudimentary commands to create an HTTP transaction
with Perl and some examples of how to use them. In section 0x04 we assemble the knowledge from
sections 0x01 to 0x03 in order to create our own exploit that executes commands on the target system
via Local File Inclusion. Finally, in section 0x05 we suggest some methods to protect
your system from File Inclusion attacks.

In a File Inclusion attack, attackers run their own code on a vulnerable website.
The attack involves importing code into a program by taking advantage of the unenforced
and unchecked assumptions the program makes about its inputs. If the attacker can place
their own malicious code on a web page, it is possible to “convince” a PHP script to include
a remote file instead of the presumably trusted file from the local file system.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[0x01a] – How the attack works for Remote File Inclusion [RFI]
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Remote File Inclusion, known as RFI, is a technique for attacking a website by
injecting a PHP script into the target website: it includes “external” files (a PHP shell)
in the victim website. If the attacker exploits it successfully, he can execute arbitrary commands
on the victim web server.

** We put “?” at the end of the URL. This makes the script fetch the intended file,
with the appended string passed as a parameter (which is ignored by the attacker's script). **

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[0x01b] – How the attack works for Local File Inclusion [LFI]
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

LFI stands for Local File Inclusion. It originates from including “internal” files
in a victim website. In many situations it is necessary to include content from
a local file, but if this is done carelessly it may lead to an LFI vulnerability. On Linux this
method is often used to read “/etc/passwd” and sometimes “/etc/shadow”.

Injecting straight from a browser won't work for RCE, because the browser automatically
encodes special characters (URL encoding) and the encoded request is what gets written into the log
file (access.log). So we must inject the malicious code via Telnet, Netcat or a Perl script that sets
the socket payload, User-Agent or Referer ourselves, which we will guide you through in the next chapter.

== How about error.log ==

The error log is written when the requested file does not exist. Thus we can inject
malicious code by requesting a non-existent file or by injecting via the "Referer" header.

When we request a PHP page, a new process is created. On *nix systems each process
has its own /proc entry. /proc/self/ is a fixed path, a symbolic link to the /proc entry of the
currently running process, and it contains useful information. If we inject malicious code into
/proc/self/environ, we can run arbitrary commands on the target via LFI.

[The Question] How do we inject code into /proc/self/environ?
[The Answer] We can inject it through the User-Agent header.

In the Firefox browser we use the "User Agent Switcher" add-on, which lets you specify your user agent
manually, or we use a Perl script to set a user agent containing the malicious code (see the next chapter).
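The log-poisoning and /proc/self/environ injection paths described above leave traces that a defender can look for: PHP tags in the User-Agent, Referer or request line, and requests that traverse to log files or to /proc/self/environ. The following Python is an added example written for this edit, not code from the original paper; it parses a few constructed Apache combined-format log lines and flags those indicators. The sample lines and the indicator patterns are assumptions, not real traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample access.log lines (Apache "combined" format); not real traffic.
# Line 1 is a normal request, lines 2-4 carry the injection patterns from the text.
SAMPLE_LOG = r'''
10.0.0.5 - - [10/Mar/2009:10:15:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2009:10:15:07 +0000] "GET /index.php?page=../../../../proc/self/environ HTTP/1.1" 200 2048 "-" "<?passthru($_GET[cmd])?>"
10.0.0.9 - - [10/Mar/2009:10:15:09 +0000] "GET /index.php?page=../../../../var/log/apache2/access.log&cmd=id HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2009:10:15:12 +0000] "GET /nonexistent-<?php%20passthru($_GET[cmd]);%20?> HTTP/1.1" 404 300 "<?php passthru($_GET[cmd]);?>" "Mozilla/5.0"
'''

# One capture group per field of the combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

PHP_TAG_RE = re.compile(r'<\?')            # opening PHP tag, short or long form
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')    # "../" or "..\" directory traversal
SENSITIVE_RE = re.compile(                 # paths the paper names as injection targets
    r'/proc/self/environ|/var/log/|/etc/passwd|/etc/shadow|\.log\b', re.I)


def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of URL encoding so double-encoded payloads are seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return the set of indicator tags raised by one log line (empty set if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return {'unparsed'}
    tags = set()
    # PHP tags belong in none of these three fields; each one is a separate signal.
    for field in ('request', 'referer', 'ua'):
        if PHP_TAG_RE.search(fully_decode(m.group(field))):
            tags.add('php_tag:' + field)
    request = fully_decode(m.group('request'))
    if TRAVERSAL_RE.search(request):
        tags.add('traversal')
    if SENSITIVE_RE.search(request):
        tags.add('sensitive_path')
    return tags


def analyze_log(text):
    """Return [(line_number, sorted_tags)] for every line raising at least one indicator."""
    findings = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        tags = scan_line(line)
        if tags:
            findings.append((n, sorted(tags)))
    return findings


if __name__ == '__main__':
    for n, tags in analyze_log(SAMPLE_LOG):
        print('line %d: %s' % (n, ', '.join(tags)))
```

Because the poisoned line sits in the very file the attacker later includes, running this over access.log and error.log on a schedule catches both the injection request and the follow-up traversal request that reads the log back.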

We saw vulnerabilities in old versions of FCKEditor (www.milw0rm.com/exploits/1484)
that allow many file extensions to be uploaded. In some versions we can upload an extension not listed in the FCKEditor
Config[DeniedExtensions][File] array, such as .php3, .aa, .bb, .cwh, .blahblahblah. If the website has a
Local File Inclusion vulnerability, we can put malicious code (<?passthru($_GET[cmd])?>) into the uploaded file and use LFI
traversal with the uploaded file's link (/userfiles/upload/shell.cwh) to run arbitrary commands.

In this section we will talk about the fundamental Perl commands needed to send HTTP packets to a server.
They play a significant role in writing the exploit. We recommend that you read this section before stepping to the next one,
but if you are already familiar with Socket and LWP you can skip it. All commands mentioned in this section will be
used in the next section.

A socket is the method for creating a connection between hosts. We use it to create a connection between our PC
and a remote server in order to send a manipulated request to the server. The information we have to provide for
a socket is the protocol, server address, server port and data. In Perl we use the IO::Socket library to create a socket.

use strict;
use LWP::UserAgent;
my $ua = LWP::UserAgent->new;
my $response = $ua->get('http://127.0.0.1/'); ## placeholder URL (assumption); replace with the URL you are testing
print $response->headers->as_string; ## $response->headers is an HTTP::Headers object. It cannot be printed as a string directly,
## so we use its as_string method to solve this problem
print "\n";
print $response->content;
[End code]——————————————————————————

++++++++++++++++++++++++++++++++++++++++++
[0x03c] – Condition to use Socket or LWP
++++++++++++++++++++++++++++++++++++++++++

As you can see above, both Socket and LWP can send an HTTP request to a server,
and we have only a few conditions to decide between Socket and LWP.

1: We will use Socket when:

– We do not want the HTTP response (we only inject an HTTP request packet into the server).
– We do not want the HTTP request to be encoded (if we send a GET with LWP, the HTTP request will be URL-encoded).

2: We will use LWP when:

– We want the HTTP response (it will be stored in an HTTP::Response object).
– Any other condition ;D (we think it is more convenient for us than Socket).

We can inject our PHP code into the server in many ways, as mentioned above. What remains
is creating the Perl script to do our task.
To create a Perl script that sends the malicious request, we will use a socket for this part.
Before writing the Perl script, we have to know which file we will inject the code into and how to do it.

[+] Inject via logfile

Log files are written when there is a request to a file on the server. Thus we can manipulate
the HTTP request in order to inject malicious code.

As in the previous section, we can inject malicious code into some files on the server with the example code.
In this section we will show how to create a script that executes our code on the server, so we have to bring in
the concept from section 0x03b about the LWP library.
(We choose LWP because we need the HTTP response to show the result of executing our code.)

In order to execute code from the log file, we have the problem that we do not know the exact path of the log file.
So we have to find the path by looping through the feasible paths we know of and checking which file contains
the word "cwhunderground", as injected in the previous example code.

Simple code for the LFI <> RCE exploit:

———————————————————————————-
use LWP::UserAgent;
use IO::Socket;
use LWP::Simple;

– Consider implementing a chroot jail
– Check user-supplied files or filenames
– Strongly validate user input; ensure that all variables are properly initialized
prior to their first use
– Disable allow_url_fopen and allow_url_include
– Disable register_globals and use E_STRICT to find uninitialized variables
– Ensure that all file and stream functions (stream_*) are carefully vetted
– To avoid being injected with remote files, it is essential to specify exactly
where the file should be located, e.g. its full path
– Secure code: if you want to use the include() function, for example:
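As an added illustration that is not the paper's own code, the Python below shows the two defences the list recommends for user-supplied file names: an allowlist that maps a page parameter to a fixed file name (the parameter is never a path), and a realpath check that confines the resolved path to one base directory, which also rejects remote locations and absolute paths. The base directory and page names are assumptions.

```python
import os

# Assumed base directory for includable files; a placeholder, not a path from the paper.
PAGES_DIR = os.path.realpath('/var/www/app/pages')

# Allowlist: the request parameter is a key into this table, never a path.
ALLOWED_PAGES = {
    'home': 'home.php',
    'about': 'about.php',
    'contact': 'contact.php',
}


def confine_path(base_dir, user_path):
    """Join user_path onto base_dir and verify the resolved path stays inside it.

    Rejects URL-like values (the allow_url_include case), absolute paths (which
    os.path.join would let replace base_dir entirely) and ../ traversal, because
    all of them resolve outside base_dir once realpath() has normalised them.
    Returns the safe full path, or raises ValueError.
    """
    if not user_path or '://' in user_path:
        raise ValueError('remote or empty location is not allowed: %r' % user_path)
    base_dir = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base_dir, user_path))
    # commonpath, not startswith: "/var/www/app/pages2/x" must not pass for base "/var/www/app/pages".
    if os.path.commonpath([full, base_dir]) != base_dir:
        raise ValueError('path escapes base directory: %r' % user_path)
    return full


def is_safe(base_dir, user_path):
    """Boolean form of confine_path for callers that prefer not to catch the exception."""
    try:
        confine_path(base_dir, user_path)
        return True
    except ValueError:
        return False


def resolve_page(page_param, base_dir=PAGES_DIR):
    """Map a user-supplied page name to a file via the allowlist, or raise ValueError."""
    filename = ALLOWED_PAGES.get(page_param)
    if filename is None:
        raise ValueError('unknown page: %r' % page_param)
    # Defence in depth: even an allowlisted entry is confined to base_dir,
    # which protects against a mis-edited allowlist value.
    return confine_path(base_dir, filename)


if __name__ == '__main__':
    print(resolve_page('about'))
    for candidate in ('../../../../etc/passwd', '/etc/passwd', 'http://example.invalid/shell.txt'):
        print(candidate, '->', 'allowed' if is_safe(PAGES_DIR, candidate) else 'rejected')
```

Prefer the allowlist wherever the set of includable files is known in advance; confine_path is the fallback for the cases where a real file name must be accepted, and it should still be combined with allow_url_fopen and allow_url_include turned off as the list says.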

—————————————————-
This paper is written for educational purposes only. The authors are not responsible for any damage
originating from using this paper for a wrong objective. If you want to use this knowledge on other people's systems,
you must request consent from the system owner beforehand.
—————————————————-